[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Fri Mar 27 08:10:23 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0ad8a889 by security tracker role at 2020-03-27T08:10:15+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,59 @@
+CVE-2020-10994
+ RESERVED
+CVE-2020-10993 (Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader. ...)
+ TODO: check
+CVE-2020-10992 (Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorMa ...)
+ TODO: check
+CVE-2020-10991 (Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXml ...)
+ TODO: check
+CVE-2020-10990 (An XXE issue exists in Accenture Mercury before 1.12.28 because of the ...)
+ TODO: check
+CVE-2020-10989
+ RESERVED
+CVE-2020-10988
+ RESERVED
+CVE-2020-10987
+ RESERVED
+CVE-2020-10986
+ RESERVED
+CVE-2020-10985
+ RESERVED
+CVE-2020-10984
+ RESERVED
+CVE-2020-10983
+ RESERVED
+CVE-2020-10982
+ RESERVED
+CVE-2020-10981
+ RESERVED
+CVE-2020-10980
+ RESERVED
+CVE-2020-10979
+ RESERVED
+CVE-2020-10978
+ RESERVED
+CVE-2020-10977
+ RESERVED
+CVE-2020-10976
+ RESERVED
+CVE-2020-10975
+ RESERVED
+CVE-2020-10974
+ RESERVED
+CVE-2020-10973
+ RESERVED
+CVE-2020-10972
+ RESERVED
+CVE-2020-10971
+ RESERVED
+CVE-2020-10970
+ RESERVED
+CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
+ TODO: check
+CVE-2020-10968 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
+ TODO: check
+CVE-2020-10967
+ RESERVED
CVE-2020-XXXX [RUSTSEC-2020-0006: bumpalo: Flaw in `realloc` allows reading unknown memory]
- rust-bumpalo <unfixed>
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0006.html
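Review bot: CVE-2020-10968 and CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4) are the only entries in this hunk that describe a library rather than a standalone product, so their "TODO: check" lines are the ones most likely to turn into a package line and should be triaged first. The four XXE entries (Osmand, Azkaban, Mulesoft APIkit, Accenture Mercury) read like NOT-FOR-US candidates, but every one of their descriptions is truncated before the affected component (e.g. "validator/XmlValidatorMa ..."), so the full upstream text is needed before closing them.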
@@ -322,18 +378,18 @@ CVE-2020-10830 (An issue was discovered on Samsung mobile devices with P(9.0) an
NOT-FOR-US: Samsung mobile devices
CVE-2020-10829 (An issue was discovered on Samsung mobile devices with O(8.0), P(9.0), ...)
NOT-FOR-US: Samsung mobile devices
-CVE-2020-10828
- RESERVED
-CVE-2020-10827
- RESERVED
-CVE-2020-10826
- RESERVED
-CVE-2020-10825
- RESERVED
-CVE-2020-10824
- RESERVED
-CVE-2020-10823
- RESERVED
+CVE-2020-10828 (A stack-based buffer overflow in cvmd on Draytek Vigor3900, Vigor2960, ...)
+ TODO: check
+CVE-2020-10827 (A stack-based buffer overflow in apmd on Draytek Vigor3900, Vigor2960, ...)
+ TODO: check
+CVE-2020-10826 (/cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B d ...)
+ TODO: check
+CVE-2020-10825 (A stack-based buffer overflow in /cgi-bin/activate.cgi while base64 de ...)
+ TODO: check
+CVE-2020-10824 (A stack-based buffer overflow in /cgi-bin/activate.cgi through ticket ...)
+ TODO: check
+CVE-2020-10823 (A stack-based buffer overflow in /cgi-bin/activate.cgi through var par ...)
+ TODO: check
CVE-2020-10822
RESERVED
CVE-2020-10821 (Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. ...)
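Review bot: the six new Draytek entries (CVE-2020-10823 through CVE-2020-10828) all describe the same Vigor3900/Vigor2960/Vigor300B firmware, and four of them share the /cgi-bin/activate.cgi path, so they should be triaged as one group rather than six independent "TODO: check" lines; the neighbouring Samsung entries show the NOT-FOR-US form to use if no Debian package ships this firmware.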
@@ -614,7 +670,7 @@ CVE-2020-10795
RESERVED
CVE-2020-10794
RESERVED
-CVE-2020-10793 (CodeIgniter through 4.0.0 allows remote attackers to gain privileges v ...)
+CVE-2020-10793 (** DISPUTED ** CodeIgniter through 4.0.0 allows remote attackers to ga ...)
- codeigniter <itp> (bug #471583)
CVE-2020-10792 (openITCOCKPIT through 3.7.2 allows remote attackers to configure the s ...)
NOT-FOR-US: openITCOCKPIT
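Review bot: the CVE-2020-10793 description now carries the "** DISPUTED **" marker, but the package line "- codeigniter <itp> (bug #471583)" is left unchanged; a NOTE line recording why the issue is disputed would let whoever eventually packages codeigniter decide whether it needs tracking at all, instead of leaving an open ITP entry for a contested issue.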
@@ -3415,8 +3471,8 @@ CVE-2020-9523
RESERVED
CVE-2020-9522
RESERVED
-CVE-2020-9521
- RESERVED
+CVE-2020-9521 (An SQL injection vulnerability was discovered in Micro Focus Service M ...)
+ TODO: check
CVE-2020-9520 (A stored XSS vulnerability was discovered in Micro Focus Vibe, affecti ...)
NOT-FOR-US: Micro Focus Vibe
CVE-2020-9519 (HTTP methods reveled in Web services vulnerability in Micro Focus Serv ...)
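Review bot: CVE-2020-9521 (SQL injection in "Micro Focus Service M ...") is left at "TODO: check" while the adjacent CVE-2020-9520 and CVE-2020-9519 entries for Micro Focus products are already NOT-FOR-US; unless the truncated product name turns out to be something packaged in Debian, the same NOT-FOR-US: Micro Focus resolution applies and the TODO can be closed in the same pass.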
@@ -3530,10 +3586,10 @@ CVE-2020-9470 (An issue was discovered in Wing FTP Server 6.2.5 before February
NOT-FOR-US: Wing FTP Server
CVE-2020-9469
RESERVED
-CVE-2020-9468
- RESERVED
-CVE-2020-9467
- RESERVED
+CVE-2020-9468 (The Community plugin 2.9.e-beta for Piwigo allows users to set image i ...)
+ TODO: check
+CVE-2020-9467 (Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php reque ...)
+ TODO: check
CVE-2020-9466 (The Export Users to CSV plugin through 1.4.2 for WordPress allows CSV ...)
NOT-FOR-US: Export Users to CSV plugin for WordPress
CVE-2020-9465 (An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before ...)
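Review bot: CVE-2020-9468 concerns the Piwigo Community plugin (2.9.e-beta) while CVE-2020-9467 is a stored XSS in Piwigo 2.10.1 itself; these are separate code bases, so the two TODOs need separate resolutions rather than one copy-pasted outcome.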
@@ -4490,10 +4546,10 @@ CVE-2020-9068
RESERVED
CVE-2020-9067
RESERVED
-CVE-2020-9066
- RESERVED
-CVE-2020-9065
- RESERVED
+CVE-2020-9066 (Huawei smartphones OxfordP-AN10B with versions earlier than 10.0.1.169 ...)
+ TODO: check
+CVE-2020-9065 (Huawei smart phone Taurus-AL00B with versions earlier than 10.0.0.203( ...)
+ TODO: check
CVE-2020-9064 (Huawei smartphone Honor V30 with versions earlier than OxfordS-AN00A 1 ...)
NOT-FOR-US: Huawei
CVE-2020-9063
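Review bot: CVE-2020-9066 and CVE-2020-9065 are Huawei smartphone firmware entries sitting directly above CVE-2020-9064, which is already "NOT-FOR-US: Huawei"; both TODOs can be resolved the same way.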
@@ -4842,8 +4898,8 @@ CVE-2020-8925
RESERVED
CVE-2020-8924
RESERVED
-CVE-2020-8923
- RESERVED
+CVE-2020-8923 (An improper HTML sanitization in Dart versions up to and including 2.7 ...)
+ TODO: check
CVE-2020-8922
RESERVED
CVE-2020-8921
@@ -4868,8 +4924,8 @@ CVE-2020-8912
RESERVED
CVE-2020-8911
RESERVED
-CVE-2020-8910
- RESERVED
+CVE-2020-8910 (A URL parsing issue in goog.uri of the Google Closure Library versions ...)
+ TODO: check
CVE-2020-8909
RESERVED
CVE-2020-8908
@@ -7091,8 +7147,8 @@ CVE-2020-7946
RESERVED
CVE-2020-7945
RESERVED
-CVE-2020-7944
- RESERVED
+CVE-2020-7944 (In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, cha ...)
+ TODO: check
CVE-2020-7943 (Puppet Server and PuppetDB provide useful performance and debugging in ...)
- puppet <unfixed> (low)
[stretch] - puppet <no-dsa> (Minor issue)
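Review bot: CVE-2020-7944 concerns Continuous Delivery for Puppet Enterprise (CD4PE), a separate product from the puppet package tracked under CVE-2020-7943 two lines below; when this TODO is resolved it should not be attached to the puppet package line on the strength of proximity alone.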
@@ -8603,8 +8659,8 @@ CVE-2020-7262
RESERVED
CVE-2020-7261
RESERVED
-CVE-2020-7260
- RESERVED
+CVE-2020-7260 (DLL Side Loading vulnerability in the installer for McAfee Application ...)
+ TODO: check
CVE-2020-7259
RESERVED
CVE-2020-7258 (Cross site scripting vulnerability in McAfee Network Security Manageme ...)
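Review bot: CVE-2020-7260 describes DLL side loading in a McAfee installer, which is a Windows-only issue class; this is a NOT-FOR-US: McAfee candidate unless the truncated product name ("McAfee Application ...") is something shipped in Debian.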
@@ -9069,6 +9125,7 @@ CVE-2020-7065
CVE-2020-7064
RESERVED
CVE-2020-7063 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below ...)
+ {DLA-2160-1}
- php7.4 7.4.3-1
- php7.3 7.3.15-1
[buster] - php7.3 <postponed> (Minor issue, can be fixed along in a future DSA)
@@ -9078,6 +9135,7 @@ CVE-2020-7063 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x
NOTE: Fixed in PHP 7.4.3, 7.3.15, 7.2.28
NOTE: PHP Bug: http://bugs.php.net/79082
CVE-2020-7062 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below ...)
+ {DLA-2160-1}
- php7.4 7.4.3-1
- php7.3 7.3.15-1
[buster] - php7.3 <postponed> (Minor issue, can be fixed along in a future DSA)
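Review bot: both CVE-2020-7062 and CVE-2020-7063 (previous hunk) gain the {DLA-2160-1} reference while their "[buster] - php7.3 <postponed>" lines are unchanged; with an LTS advisory now recorded and the NOTE already naming the upstream fix releases (7.4.3, 7.3.15, 7.2.28), the buster postponement rationale ("can be fixed along in a future DSA") is worth revisiting so that buster is not the only suite without a recorded fix.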
@@ -9272,8 +9330,8 @@ CVE-2020-7001 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affe
NOT-FOR-US: Moxa
CVE-2020-7000
RESERVED
-CVE-2020-6999
- RESERVED
+CVE-2020-6999 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, some of the p ...)
+ TODO: check
CVE-2020-6998
RESERVED
CVE-2020-6997 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, sensitive inf ...)
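Review bot: CVE-2020-6999 is the third Moxa EDS-G516E firmware entry in this region (CVE-2020-7001 and CVE-2020-6997 are the context lines) and the neighbours are "NOT-FOR-US: Moxa"; resolve the TODO the same way.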
@@ -15675,8 +15733,8 @@ CVE-2020-4278 (IBM Platform LSF 9.1 and 10.1, IBM Spectrum LSF Suite 10.2, and I
NOT-FOR-US: IBM
CVE-2020-4277
RESERVED
-CVE-2020-4276
- RESERVED
+CVE-2020-4276 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is ...)
+ TODO: check
CVE-2020-4275
RESERVED
CVE-2020-4274
@@ -17016,8 +17074,8 @@ CVE-2020-3938 (SysJust Syuan-Gu-Da-Shih, versions before 20191223, contain vulne
NOT-FOR-US: SysJust Syuan-Gu-Da-Shih
CVE-2020-3937 (SQL Injection in SysJust Syuan-Gu-Da-Shih, versions before 20191223, a ...)
NOT-FOR-US: SysJust Syuan-Gu-Da-Shih
-CVE-2020-3936
- RESERVED
+CVE-2020-3936 (UltraLog Express device management interface does not properly filter ...)
+ TODO: check
CVE-2020-3935 (Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Manage ...)
NOT-FOR-US: Secom Co. Dr.ID
CVE-2020-3934 (Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Manage ...)
@@ -17046,10 +17104,10 @@ CVE-2020-3923 (DVR firmware in TAT-76 and TAT-77 series of products, provided by
NOT-FOR-US: DVR firmware in TAT-76 and TAT-77 series
CVE-2020-3922 (LisoMail, by ArmorX, allows SQL Injections, attackers can access the d ...)
NOT-FOR-US: LisoMail
-CVE-2020-3921
- RESERVED
-CVE-2020-3920
- RESERVED
+CVE-2020-3921 (UltraLog Express device management software stores user’s inform ...)
+ TODO: check
+CVE-2020-3920 (UltraLog Express device management interface does not properly perform ...)
+ TODO: check
CVE-2019-19916 (In Midori Browser 0.5.11 (on Windows 10), Content Security Policy (CSP ...)
NOT-FOR-US: Midori Browser
CVE-2019-19915 (The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for Wor ...)
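Review bot: CVE-2020-3920 and CVE-2020-3921 describe the same UltraLog Express device management software as CVE-2020-3936 in the earlier hunk, so the three TODOs should be triaged together and given a consistent resolution; the surrounding SysJust and Secom entries from the same batch are already NOT-FOR-US and show the expected form.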
@@ -22701,8 +22759,8 @@ CVE-2020-1802
RESERVED
CVE-2020-1801
RESERVED
-CVE-2020-1800
- RESERVED
+CVE-2020-1800 (HUAWEI smartphones P30 with versions earlier than 10.0.0.185(C00E85R1P ...)
+ TODO: check
CVE-2020-1799
RESERVED
CVE-2020-1798
@@ -23015,8 +23073,8 @@ CVE-2019-19366 (A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cd
NOT-FOR-US: FusionPBX
CVE-2019-19365
RESERVED
-CVE-2020-1764
- RESERVED
+CVE-2020-1764 (A hard-coded cryptographic key vulnerability in the default configurat ...)
+ TODO: check
CVE-2020-1763
RESERVED
CVE-2020-1762
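Review bot: the CVE-2020-1764 description is truncated at "in the default configurat ..." before naming the affected software, and a hard-coded cryptographic key in a default configuration is exactly the kind of issue that does turn up in packaged software; this TODO should not be closed as NOT-FOR-US on the strength of its neighbour (the FusionPBX entry above) without reading the full advisory.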
@@ -27670,6 +27728,7 @@ CVE-2020-0558
CVE-2020-0557
RESERVED
CVE-2020-0556 (Improper access control in subsystem for BlueZ before version 5.54 may ...)
+ {DSA-4647-1}
- bluez 5.50-1.1 (bug #953770)
NOTE: https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
@@ -36117,14 +36176,12 @@ CVE-2019-15798
RESERVED
CVE-2019-15797
RESERVED
-CVE-2019-15796 [python-apt: Check that repository is trusted before downloading from it]
- RESERVED
+CVE-2019-15796 (Python-apt doesn't check if hashes are signed in `Version.fetch_binary ...)
{DSA-4609-1 DLA-2074-1}
- python-apt 1.8.5
NOTE: https://salsa.debian.org/apt-team/python-apt/commit/b4eef110b7ba4fb21cc0dd92585756f50e0100c9 (1.8.5)
NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e3321eb9792bf3b4cace4cee47dc6da00fbee929 (1.8.5)
-CVE-2019-15795 [python-apt: Do not use MD5 for verifying downloads]
- RESERVED
+CVE-2019-15795 (python-apt only checks the MD5 sums of downloaded files in `Version.fe ...)
{DSA-4609-1 DLA-2074-1}
- python-apt 1.8.5
NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24 (1.8.5)
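Review bot: replacing the bracketed internal descriptions "[python-apt: Check that repository is trusted before downloading from it]" and "[python-apt: Do not use MD5 for verifying downloads]" with the truncated MITRE text loses the one-line summaries, which were clearer than what now remains ("... in `Version.fetch_binary ..." and "... in `Version.fe ..."); suggest keeping them as NOTE lines next to the existing fix-commit NOTEs so readers of the file need not resolve the CVE to learn what the unsigned-hash and MD5-only issues were.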
@@ -68400,8 +68457,8 @@ CVE-2019-5107 (A cleartext transmission vulnerability exists in the network comm
NOT-FOR-US: WAGO
CVE-2019-5106 (A hard-coded encryption key vulnerability exists in the authentication ...)
NOT-FOR-US: WAGO
-CVE-2019-5105
- RESERVED
+CVE-2019-5105 (An exploitable memory corruption vulnerability exists in the Name Serv ...)
+ TODO: check
CVE-2019-5104
REJECTED
CVE-2019-5103
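Review bot: the CVE-2019-5105 description ("An exploitable memory corruption vulnerability exists in the Name Serv ...") is cut off before naming the product; the two WAGO entries directly above are NOT-FOR-US, but the truncation gives no basis for assuming the same vendor, so the full text is needed before this TODO is resolved.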
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ad8a8895599b1f5ea308b23462664359c39af7f